> That "svn" user can be set to have no valid shell, with its shell set
> to something like "/sbin/nologin". This is actually quite common for
> system services to have no valid shell. This is how the "apache" or
> "www-data" user is usually set up.
But that would prevent login using ssh, which I don't want. I can tell
the sysadmin "we need an SSH login for Charlie so he can use
Subversion", but I cannot say "You have to cut the SSH login for Marilyn
so she can't use Subversion".

*Truncated for clarity*
One option would be to generate a different (password enabled... of course) key for each unique user (all logging in with the same SVN user name). Then revoking SVN access is as simple as removing that user's key from the authorized_keys list.